[Dshield] reverse DNS pointing to localhost ?

Whoever administers DNS for that IP block has misconfigured things so
that the IP resolves back to "localhost." I tried a couple of
neighboring IPs and they're resolving the same way, so the entire block
is probably affected. The good news, it's not your IDS.
-s

On Fri, 12 Dec 2008 10:14:49 +0100
Stephane Grobety <security at admin.fulgan.com> wrote:
> Hello folks.
>
> I don't know if there is still anyone around, but if there is, maybe
> someone can explain to me what I'm seeing here.
>
> Basically, I have a server sitting outside my perimeter firewall
> (hosted in a collocation center). That server has a host-based firewall
> installed as well as an IPS.
>
> Among the number of log entries created by the firewall and IPS, I
> found several that were referring to the server's one host name as
> source IP address. I was a bit surprised by this so I looked in more
> detail (to make sure the server itself wasn't infected by some nasty
> bug). The actual source IP address had nothing to do with any of the
> ones on the server: 123.30.51.252
>
> I did a reverse on that IP and got
>
> PTR-record for 252.51.30.123.in-addr.arpa:
> Points to = localhost
> TTL = 67739 (18 hours, 48 minutes, 59 seconds)
>
> It seems that, somehow, the IPS log subsystem replaced "localhost" in
> the log by the server host name.
>
> The triggering packets are UDP to the SQL server port (1434) which are
> tagged as "slammer worm".
>
> Anyone got an explanation ?
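
The confusion in this thread comes from a log pipeline trusting a PTR record, which is set by whoever controls the reverse zone for the source address. The following is an added example, not part of the original thread and not the IPS vendor's code: a log-labelling helper that only shows a PTR name when it forward-resolves back to the same IP and that refuses "localhost" for non-loopback sources. The function names, label formats and the `192.0.2.x` / `example.net` sample records are assumptions constructed for illustration; only `123.30.51.252` and its `localhost` PTR come from the thread.

```python
import ipaddress
import socket

# Names that must never be accepted from a remote PTR record.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def system_ptr(ip):
    """Live PTR lookup; returns None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Live forward lookup; returns the set of addresses for name."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def log_label(ip, ptr=system_ptr, forward=system_forward):
    """Return the source label a log line should carry for ip.

    The PTR name is used only if it forward-resolves back to ip
    (forward-confirmed reverse DNS); otherwise the raw IP is kept.
    """
    addr = ipaddress.ip_address(ip)
    name = ptr(ip)
    if not name:
        return ip
    name = name.rstrip(".").lower()
    if name in LOCAL_NAMES and not addr.is_loopback:
        return f"{ip} (PTR claims '{name}', rejected)"
    confirmed = {ipaddress.ip_address(a.split("%")[0]) for a in forward(name)}
    if addr in confirmed:
        return f"{name} [{ip}]"
    return f"{ip} (PTR '{name}' not forward-confirmed)"

# Constructed sample data: the PTR from the thread plus made-up entries.
SAMPLE_PTR = {"123.30.51.252": "localhost.", "192.0.2.10": "mail.example.net.",
              "192.0.2.66": "mail.example.net."}
SAMPLE_A = {"mail.example.net": {"192.0.2.10"}, "localhost": {"127.0.0.1"}}

def demo():
    return [log_label(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))
            for ip in ("123.30.51.252", "192.0.2.10", "192.0.2.66", "192.0.2.99")]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Keeping the raw IP in every label means the address survives in the log even when the name is accepted, so a misleading PTR can never hide the real source.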